diff options
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/.git-dpm | 4 | ||||
| -rw-r--r-- | debian/changelog | 1 | ||||
| -rw-r--r-- | debian/patches/no-dsa-host-key-by-default.patch | 83 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
4 files changed, 87 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index 53fbcd41e..6f9925b66 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
| 2 | e346421ca6852fbf9f95cf0e764ecc345e5ce21d | 2 | 79d4110c92f82de854b10b2d96df9daaaaeaec3a |
| 3 | e346421ca6852fbf9f95cf0e764ecc345e5ce21d | 3 | 79d4110c92f82de854b10b2d96df9daaaaeaec3a |
| 4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
| 5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
| 6 | openssh_7.4p1.orig.tar.gz | 6 | openssh_7.4p1.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index a7a936707..a65e90c78 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -5,6 +5,7 @@ openssh (1:7.4p1-6) UNRELEASED; urgency=medium | |||
| 5 | gone. | 5 | gone. |
| 6 | * Document sshd_config changes that may be needed following the removal of | 6 | * Document sshd_config changes that may be needed following the removal of |
| 7 | protocol 1 support from sshd (closes: #851573). | 7 | protocol 1 support from sshd (closes: #851573). |
| 8 | * Remove ssh_host_dsa_key from HostKey default (closes: #850614). | ||
| 8 | 9 | ||
| 9 | -- Colin Watson <cjwatson@debian.org> Fri, 06 Jan 2017 08:40:14 +0000 | 10 | -- Colin Watson <cjwatson@debian.org> Fri, 06 Jan 2017 08:40:14 +0000 |
| 10 | 11 | ||
diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch new file mode 100644 index 000000000..cd5bd34a4 --- /dev/null +++ b/debian/patches/no-dsa-host-key-by-default.patch | |||
| @@ -0,0 +1,83 @@ | |||
| 1 | From 79d4110c92f82de854b10b2d96df9daaaaeaec3a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Colin Watson <cjwatson@debian.org> | ||
| 3 | Date: Mon, 16 Jan 2017 13:53:04 +0000 | ||
| 4 | Subject: Remove ssh_host_dsa_key from HostKey default | ||
| 5 | |||
| 6 | The client no longer accepts DSA host keys, and servers using the | ||
| 7 | default HostKey setting should have better host keys available. | ||
| 8 | |||
| 9 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662 | ||
| 10 | Bug-Debian: https://bugs.debian.org/850614 | ||
| 11 | Last-Update: 2017-01-16 | ||
| 12 | |||
| 13 | Patch-Name: no-dsa-host-key-by-default.patch | ||
| 14 | --- | ||
| 15 | servconf.c | 2 -- | ||
| 16 | sshd.8 | 7 +++---- | ||
| 17 | sshd_config | 1 - | ||
| 18 | sshd_config.5 | 7 +++---- | ||
| 19 | 4 files changed, 6 insertions(+), 11 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/servconf.c b/servconf.c | ||
| 22 | index 1cee3d6c..202c4506 100644 | ||
| 23 | --- a/servconf.c | ||
| 24 | +++ b/servconf.c | ||
| 25 | @@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options) | ||
| 26 | /* fill default hostkeys for protocols */ | ||
| 27 | options->host_key_files[options->num_host_key_files++] = | ||
| 28 | _PATH_HOST_RSA_KEY_FILE; | ||
| 29 | - options->host_key_files[options->num_host_key_files++] = | ||
| 30 | - _PATH_HOST_DSA_KEY_FILE; | ||
| 31 | #ifdef OPENSSL_HAS_ECC | ||
| 32 | options->host_key_files[options->num_host_key_files++] = | ||
| 33 | _PATH_HOST_ECDSA_KEY_FILE; | ||
| 34 | diff --git a/sshd.8 b/sshd.8 | ||
| 35 | index 38a72540..e8f1fde8 100644 | ||
| 36 | --- a/sshd.8 | ||
| 37 | +++ b/sshd.8 | ||
| 38 | @@ -167,11 +167,10 @@ This option must be given if | ||
| 39 | is not run as root (as the normal | ||
| 40 | host key files are normally not readable by anyone but root). | ||
| 41 | The default is | ||
| 42 | -.Pa /etc/ssh/ssh_host_dsa_key , | ||
| 43 | -.Pa /etc/ssh/ssh_host_ecdsa_key , | ||
| 44 | -.Pa /etc/ssh/ssh_host_ed25519_key | ||
| 45 | +.Pa /etc/ssh/ssh_host_rsa_key , | ||
| 46 | +.Pa /etc/ssh/ssh_host_ecdsa_key | ||
| 47 | and | ||
| 48 | -.Pa /etc/ssh/ssh_host_rsa_key . | ||
| 49 | +.Pa /etc/ssh/ssh_host_ed25519_key . | ||
| 50 | It is possible to have multiple host key files for | ||
| 51 | the different host key algorithms. | ||
| 52 | .It Fl i | ||
| 53 | diff --git a/sshd_config b/sshd_config | ||
| 54 | index 13cbe2c6..4aea6c72 100644 | ||
| 55 | --- a/sshd_config | ||
| 56 | +++ b/sshd_config | ||
| 57 | @@ -16,7 +16,6 @@ | ||
| 58 | #ListenAddress :: | ||
| 59 | |||
| 60 | #HostKey /etc/ssh/ssh_host_rsa_key | ||
| 61 | -#HostKey /etc/ssh/ssh_host_dsa_key | ||
| 62 | #HostKey /etc/ssh/ssh_host_ecdsa_key | ||
| 63 | #HostKey /etc/ssh/ssh_host_ed25519_key | ||
| 64 | |||
| 65 | diff --git a/sshd_config.5 b/sshd_config.5 | ||
| 66 | index 703a9cdd..8f8fbb66 100644 | ||
| 67 | --- a/sshd_config.5 | ||
| 68 | +++ b/sshd_config.5 | ||
| 69 | @@ -733,11 +733,10 @@ is not to load any certificates. | ||
| 70 | Specifies a file containing a private host key | ||
| 71 | used by SSH. | ||
| 72 | The defaults are | ||
| 73 | -.Pa /etc/ssh/ssh_host_dsa_key , | ||
| 74 | -.Pa /etc/ssh/ssh_host_ecdsa_key , | ||
| 75 | -.Pa /etc/ssh/ssh_host_ed25519_key | ||
| 76 | +.Pa /etc/ssh/ssh_host_rsa_key , | ||
| 77 | +.Pa /etc/ssh/ssh_host_ecdsa_key | ||
| 78 | and | ||
| 79 | -.Pa /etc/ssh/ssh_host_rsa_key . | ||
| 80 | +.Pa /etc/ssh/ssh_host_ed25519_key . | ||
| 81 | .Pp | ||
| 82 | Note that | ||
| 83 | .Xr sshd 8 | ||
diff --git a/debian/patches/series b/debian/patches/series index 7edc511b8..6eae81080 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
| @@ -28,3 +28,4 @@ regress-integrity-robust.patch | |||
| 28 | regress-forwarding-race.patch | 28 | regress-forwarding-race.patch |
| 29 | regress-mktemp.patch | 29 | regress-mktemp.patch |
| 30 | sandbox-x32-workaround.patch | 30 | sandbox-x32-workaround.patch |
| 31 | no-dsa-host-key-by-default.patch | ||